formbook | 51a2542d1b273f9d3d1c1b8817d77451c46bdb03e22c7b25c05f383b289305d0

General

Target

PONM100021791.exe
Size

670KB
MD5

6d5164ff97b46d355834bb135fc174cd
SHA1

d8263265426c4d673948be661d6254c49e1da6b2
SHA256

51a2542d1b273f9d3d1c1b8817d77451c46bdb03e22c7b25c05f383b289305d0
SHA512

31b615ea6c4c0ae87bc3a23688eecd0283e56266223c24887b58c47b1839d10d2c0e8c11f6b0b004e6acec83e7492819ce63387e0bfe865b24cddc07773c3cd0
SSDEEP

12288:OVAgHtDg5xE1A5a4Kshw8GRw+lInuCW4Xjo1AxKMyHhu/NhqNRa9:y4Padsheh6xvyHhu2i

Score

10^/10

formbook g47e rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g47e

Decoy

73346.top

matureshift.shop

bohnergroup.com

snehq.store

7pijj.com

wineshopsonline.com

reactivecreditagric.mom

aganderson.net

1800302.vip

942565.com

phonetography.club

garansugar.com

pinetree.email

34245.top

thejoy.run

pointvirtualrx.com

pqz.info

paddleboards.shop

vvapro.info

8peakssustainablelab.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/948-62-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/948-63-0x000000000041F0E0-mapping.dmp	formbook
behavioral1/memory/948-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1592-72-0x00000000000E0000-0x000000000010F000-memory.dmp	formbook
behavioral1/memory/1592-76-0x00000000000E0000-0x000000000010F000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
1572	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1032 set thread context of 948	1032	PONM100021791.exe	29
PID 948 set thread context of 1232	948	PONM100021791.exe	15
PID 1592 set thread context of 1232	1592	wuapp.exe	15

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1032	PONM100021791.exe
948	PONM100021791.exe
948	PONM100021791.exe
1592	wuapp.exe
1592	wuapp.exe
1592	wuapp.exe
1592	wuapp.exe
1592	wuapp.exe
1592	wuapp.exe
1592	wuapp.exe
1592	wuapp.exe
1592	wuapp.exe
1592	wuapp.exe
1592	wuapp.exe
1592	wuapp.exe
1592	wuapp.exe
1592	wuapp.exe
1592	wuapp.exe
1592	wuapp.exe
1592	wuapp.exe
1592	wuapp.exe
1592	wuapp.exe
1592	wuapp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
948	PONM100021791.exe
948	PONM100021791.exe
948	PONM100021791.exe
1592	wuapp.exe
1592	wuapp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	PONM100021791.exe
Token: SeDebugPrivilege	948	PONM100021791.exe
Token: SeDebugPrivilege	1592	wuapp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1352	1032	PONM100021791.exe	28
PID 1032 wrote to memory of 1352	1032	PONM100021791.exe	28
PID 1032 wrote to memory of 1352	1032	PONM100021791.exe	28
PID 1032 wrote to memory of 1352	1032	PONM100021791.exe	28
PID 1032 wrote to memory of 948	1032	PONM100021791.exe	29
PID 1032 wrote to memory of 948	1032	PONM100021791.exe	29
PID 1032 wrote to memory of 948	1032	PONM100021791.exe	29
PID 1032 wrote to memory of 948	1032	PONM100021791.exe	29
PID 1032 wrote to memory of 948	1032	PONM100021791.exe	29
PID 1032 wrote to memory of 948	1032	PONM100021791.exe	29
PID 1032 wrote to memory of 948	1032	PONM100021791.exe	29
PID 1232 wrote to memory of 1592	1232	Explorer.EXE	30
PID 1232 wrote to memory of 1592	1232	Explorer.EXE	30
PID 1232 wrote to memory of 1592	1232	Explorer.EXE	30
PID 1232 wrote to memory of 1592	1232	Explorer.EXE	30
PID 1232 wrote to memory of 1592	1232	Explorer.EXE	30
PID 1232 wrote to memory of 1592	1232	Explorer.EXE	30
PID 1232 wrote to memory of 1592	1232	Explorer.EXE	30
PID 1592 wrote to memory of 1572	1592	wuapp.exe	31
PID 1592 wrote to memory of 1572	1592	wuapp.exe	31
PID 1592 wrote to memory of 1572	1592	wuapp.exe	31
PID 1592 wrote to memory of 1572	1592	wuapp.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\PONM100021791.exe
  "C:\Users\Admin\AppData\Local\Temp\PONM100021791.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Users\Admin\AppData\Local\Temp\PONM100021791.exe
    "{path}"
    3⤵
    PID:1352
- - C:\Users\Admin\AppData\Local\Temp\PONM100021791.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:948
- C:\Windows\SysWOW64\wuapp.exe
  "C:\Windows\SysWOW64\wuapp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\PONM100021791.exe"
    3⤵
    - Deletes itself
    PID:1572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-66-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download
memory/948-67-0x0000000000170000-0x0000000000184000-memory.dmp

Filesize
80KB

Download
memory/948-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1032-57-0x0000000005420000-0x00000000054A6000-memory.dmp

Filesize
536KB

Download
memory/1032-55-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download
memory/1032-54-0x0000000000F20000-0x0000000000FCC000-memory.dmp

Filesize
688KB

Download
memory/1032-58-0x00000000009A0000-0x00000000009D4000-memory.dmp

Filesize
208KB

Download
memory/1032-56-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1232-75-0x0000000003EC0000-0x0000000003F7E000-memory.dmp

Filesize
760KB

Download
memory/1232-68-0x0000000004670000-0x00000000047E9000-memory.dmp

Filesize
1.5MB

Download
memory/1232-77-0x0000000003EC0000-0x0000000003F7E000-memory.dmp

Filesize
760KB

Download
memory/1592-71-0x0000000000010000-0x000000000001B000-memory.dmp

Filesize
44KB

Download
memory/1592-73-0x0000000001DD0000-0x00000000020D3000-memory.dmp

Filesize
3.0MB

Download
memory/1592-74-0x00000000020E0000-0x0000000002173000-memory.dmp

Filesize
588KB

Download
memory/1592-72-0x00000000000E0000-0x000000000010F000-memory.dmp

Filesize
188KB

Download
memory/1592-76-0x00000000000E0000-0x000000000010F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing